malwarewikiaorg-20200223-history
GermanWiper
GermanWiper is a ransomware that targets German victims. It shares some similarities with a recent Sodinokibi ransomware campaign that pushed malicious emails impersonating BSI, the German national cyber-security authority. Behavior GermanWiper behaves more like a wiper than it does as ransomware, Meaning it wipes the hard drive. Payload Transmission GermanWiper is being distributed in Germany through a spam campaign that pretends to be a job applicant named Lena Kretschmer who is submitting their resume. The emails being sent have the subject "Ihr Stellenangebot - Bewerbung job offer - Application - Lena Kretschmer" and contain an attachment titled "Unterlagen_Lena_Kretschmer.zip" posing as a document archive. The attachment contains two files that pretend to be PDF resumes for the sender. Security researcher James found that these PDFs are actually shortcuts (LNK) that execute a PowerShell command to download an HTA file from the expandingdelegation.top site and launch it on the local machine. When the HTA file is executed, it will download the ransomware executable and save it to the C:\Users\Public folder and as an executable with a three-letter file name. The wiper is then launched. Infection When GermanWiper is first executed, it terminates processes associated with the database and other software so that the files can be accessed and wiping becomes possible. The list of terminated processes are below: notepad.exe dbeng50.exe sqbcoreservice.exe encsvc.exe mydesktopservice.exe isqlplussvc.exe agntsvc.exe sql.exe sqld.exe mysql.exe mysqld.exe oracle.exe It then scans the system for files to destroy. When wiping files, it skips files that have certain names, extensions or are located in particular folders. A list of folders spared by the wiping process is available below: windows recycle.bin mozilla google boot application data appdata program files program files (x86) programme programme (x86) programdata perflogs intel msocache system volume information The reason for skipping them is because they are essential for Windows booting properly and for browsing the web. Destroying the data is done by overwriting its content with zeroes. To make it look like an encryption process occurred, each file is appended to its name a random 5 character extension, such as .08kJA, .AVco3, or .Fi2Ed. After completing the deletion process, GermanWiper also removes the shadow volume copies and disables Windows automatic startup repair by launching the following commands: cmd.exe /k vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures The ransomware also creates a ransom note named Fi2Ed_Entschluesselungs_Anleitung.html that is automatically opened at the end of the wiping procedure. Here, victims find instructions to pay 0.15038835 bitcoins, or approximately $1,600, to the listed bitcoin address. The ransom note reads: Alle Ihre Dateien wurden verschluesselt! Was ist passiert? Alle Ihre Dateien wurden verschluesselt und sind fuer Sie nicht mehr zugaenglich bis wir diese wieder entschluesseln. Alle verschluesselten Dateien wurden mit der Dateiendung .phnB2 versehen. Bitte folgen Sie unseren Anweisungen, wenn Sie Ihre Dateien zeitnah wieder entschluesseln wollen! Es besteht keine andere Moeglichkeit Ihre Daten wieder zu entschluesseln ausser unseren Anweisungen zu folgen! Ich moechte meine Dateien entschluesseln! Kein Problem! Um Ihre Dateien zu entschluesseln, benoetigen Sie unsere Entschluesselungssoftware, diese steht zum Kauf fuer umgerechnet ca. $1,500 bereit. Der Betrag ist ausschliesslich in Bitcoin an die untenstehende Adresse zu zahlen. Welche Garantien habe ich? Uns interessiert nicht wer Sie sind oder was fuer Dateien Sie auf Ihrem Computer haben, wir sind ausschliesslich daran interessiert Ihnen die Entschluesselungssoftware zu verkaufen. Schlechtes Business spricht sich herum, sollten wir Ihre Dateien nicht entschluesseln, wuerde in Zukunft niemand unsere Entschluesselungssoftware kaufen - Was nicht in unserem Interesse liegt. Wo bekomme ich Bitcoins? Bitcoin koennen Sie schnell und einfach kaufen, z.B mit Kreditkarte, GiroPay oder (SOFORT) Ueberweisung. Es folgt eine Auflistung populaerer Tauschboersen und Bitcoin Marktplaetzen: Coinmama - hxxps://coinmama.com/ Bitpanda - hxxps://www.bitpanda.com/ AnyCoinDirect - hxxps://anycoindirect.eu/ Bitcoin.de - hxxps://www.bitcoin.de/ BTC Direct - hxxps://btcdirect.eu/de-at Es gibt noch weitere moeglichkeiten Bitcoin zu erwerben, sollte keine der gelisteten fuer Sie funktionieren, hilft Ihnen eine kurze Google Suche. Ich habe die Bitcoins gekauft Senden Sie den folgenden Betrag an die fuer Sie generierte Bitcoin Adresse: Betrag 0.15038835 Bitcoin Bitcoin Adresse 17vH1YT63jRTavNQRGGsP49xjzZtZsxNRF Ich habe bezahlt - Was jetzt? Nachdem die Zahlung auf der angegebenen Wallet eingegangen ist und diese 1 Bestaetigung im Bitcoin Netzwerk erhalten hat (30-60 Minuten) aktualisiert sich diese Seite automatisch mit dem Download Link fuer die Entschluesselungssoftware. Bitte folgen Sie den Anweisungen in der Entschluesselungssoftware um sicherzustellen, dass alle Ihre Dateien korrekt entschluesselt werden. Bitte beachten Sie, dass die Entschluesselungssoftware nur speziell fuer Ihren PC und die Dateiendung .phnB2 funktioniert, es ist also sinnlos nach der Entschluesselungssoftware von anderen zu suchen. Weitere Informationen Bitte beachten Sie, dass wir Ihnen eine Frist von 7 Tagen setzen, diese laueft ab am: 09/08/2019. Sollten wir bis dahin keinen Zahlungseingang feststellen, gehen wir davon aus, dass Sie nicht an der Entschluesselung Ihrer Daten interessiert sind und Loeschen den Private-Key fuer Ihren Computer unwiderruflich, in diesem Falle gehen Ihre Daten fuer immer verloren. Beachten Sie, dass nur wir in der Lage sind Ihre Dateien wiederherzustellen, versuchen Sie nicht Ihre Dateien selber zu entschluesseln / wiederherzustellen, im besten Falle verschwenden Sie nur Ihre Zeit, im schlimmsten Falle beschaedigen Sie die verschluesselten Dateien und wir koennen Ihnen beim entschluesseln nicht mehr helfen! Which translates to: All your files have been encrypted! What happened? All your files have been encrypted and are no longer accessible to you until we decode them again. All encrypted files were given the file extension .phnB2. Please follow our instructions if you want to decode your files in a timely manner! There is no other way to decode your data except following our instructions! I would like to decrypt my files! No problem! To decrypt your files, you need our decryption software, which is available for purchase for the equivalent of $ 1,500. The amount is payable exclusively in Bitcoin to the address below. What guarantees do I have? We are not interested in who you are or what files you have on your computer, we are only interested in selling you the decryption software. Bad business gets around, if we do not decode your files, nobody would buy our decryption software in the future - which is not in our interest. Where can I get bitcoins? You can buy Bitcoin quickly and easily, eg with credit card, GiroPay or (IMMEDIATE) transfer. Here is a list of popular barter and Bitcoin marketplaces: Coinmama - hxxps: //coinmama.com/ Bitpanda - hxxps: //www.bitpanda.com/ AnyCoinDirect - hxxps: //anycoindirect.eu/ Bitcoin.de - hxxps: // www.bitcoin.de/ BTC Direct - hxxps: //btcdirect.eu/de-at There are other ways to buy Bitcoin, if none of the listed ones work for you, a short Google search will help you. I bought the bitcoins Send the following amount to the bitcoin address generated for you: Amount 0.15038835 Bitcoin Bitcoin Address 17vH1YT63jRTavNQRGGsP49xjzZtZsxNRF I have paid - what now? After the payment has been received on the specified wallet and has received 1 confirmation in the Bitcoin network (30-60 minutes), this page automatically updates itself with the download link for the decryption software. Please follow the instructions in the decryption software to make sure that all your files are decrypted correctly. Please note that the decryption software works only for your PC and the file extension .phnB2, so it makes no sense to look for the decryption software of others. additional Information Please note that we set a period of 7 days, this will take place on: 09/08/2019. If we do not find any payment until then, we assume that you are not interested in the decryption of your data and delete the private key for your computer irrevocably, in which case your data is lost forever. Note that only we are able to recover your files, do not try to decrypt / restore your own files, in the best case you only waste your time, in the worst case you will damage the encrypted files and we will no longer be able to decrypt them help! The information is also given to victims through a desktop wallpaper that the malware enables on infected machines. The wallpaper translates to: YOUR FILES WERE CLOSED OPEN phnB2_encrypt_manual.html TO FIND OUT HOW TO RETRIEVE YOUR FILES! The wiper executable contains 36 base64-encoded bitcoin addresses. The malware selects one at random for each victim. While the ransom note suggests that the bitcoin addresses are unique per victim as seen by the translated text "Send the following amount to the Bitcoin address generated for you", the wiper just chooses any of these hardcoded addresses. The ransom note for this wiper includes a bit of JavaScript at the bottom that is executed every time the user opens the note. This script connects to the wiper's C2 server and sends the bitcoin address associated with the victim and other information. As the ransom note is automatically opened by the wiper at the end of execution, the attacker uses this script to track the amount of victims. Category:Ransomware Category:Win32 ransomware Category:Win32 Category:Microsoft Windows Category:Trojan Category:Win32 trojan Category:Wiper Category:Win32 wiper Category:JavaScript